We are @purseclab, and we are fuzzing Rust crates to identify memory violation bugs. Although we are aware that this crate is unmaintained, we noticed on crates.io that it is still being downloaded. Therefore, we decided to report a memory violation bug we discovered.
The PoC below causes a double-free memory violation.
We believe this bug is caused by slice_deque::IntoIter::clone, which creates a new iterator, iter2, without invalidating or deallocating the existing iterator, iter1. As a result, both iterators point to the same elements. If these elements implement the Drop trait, a double-free memory violation occurs when the iterators go out of scope.
How to Build and Run the PoC:
cargo +1.77.0-x86_64-unknown-linux-gnu run
Output:
free(): double free detected in tcache 2
Aborted (core dumped)
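The mechanism the report describes, as an added example that is neither the reporter's PoC nor slice_deque's code: a hypothetical, simplified owning iterator (`IntoIter`, `from_vec`, `Tracked` and `drops_after_clone` are invented names) whose `Clone` gives the copy its own allocation holding clones of the not-yet-yielded elements, so each element is dropped exactly once. Copying only the buffer pointer, as the report says slice_deque's `IntoIter::clone` does, would leave both iterators owning the same elements and both `Drop` impls would free them.

```rust
use std::{cell::Cell, mem::ManuallyDrop, rc::Rc};
/// Hypothetical owning iterator over a heap buffer (not slice_deque's code).
pub struct IntoIter<T> {
    buf: *mut T, cap: usize,    // the allocation this iterator owns
    start: usize, end: usize,   // next element to yield / one past the last live one
}
impl<T> IntoIter<T> {
    pub fn from_vec(v: Vec<T>) -> Self {
        let mut v = ManuallyDrop::new(v); // take over the buffer without dropping it
        IntoIter { buf: v.as_mut_ptr(), cap: v.capacity(), start: 0, end: v.len() }
    }
}
impl<T> Iterator for IntoIter<T> {
    type Item = T;
    fn next(&mut self) -> Option<T> {
        if self.start == self.end { return None; }
        let item = unsafe { std::ptr::read(self.buf.add(self.start)) }; // move out
        self.start += 1;
        Some(item)
    }
}
// Sound Clone: the clone gets its own allocation with clones of the remaining
// elements, so the two iterators never own the same element.
impl<T: Clone> Clone for IntoIter<T> {
    fn clone(&self) -> Self {
        let rest: Vec<T> = (self.start..self.end).map(|i| unsafe { (*self.buf.add(i)).clone() }).collect();
        IntoIter::from_vec(rest)
    }
}
impl<T> Drop for IntoIter<T> {
    fn drop(&mut self) {
        for i in self.start..self.end { unsafe { std::ptr::drop_in_place(self.buf.add(i)) } }
        unsafe { drop(Vec::from_raw_parts(self.buf, 0, self.cap)) } // len 0: free buffer only
    }
}
/// Element whose drops are counted through a shared cell (constructed test type).
#[derive(Clone)]
pub struct Tracked(Rc<Cell<usize>>);
impl Drop for Tracked { fn drop(&mut self) { self.0.set(self.0.get() + 1); } }
/// Yield one element, clone the iterator, drop everything, return the drop count:
/// 3 originals + 2 clones of the remaining elements = 5, each dropped exactly once.
pub fn drops_after_clone() -> usize {
    let counter = Rc::new(Cell::new(0));
    let v: Vec<Tracked> = (0..3).map(|_| Tracked(counter.clone())).collect();
    let mut iter1 = IntoIter::from_vec(v);
    let first = iter1.next();
    let iter2 = iter1.clone();
    drop(first); drop(iter1); drop(iter2);
    counter.get()
}
```

Running the same sequence with a pointer-copying `Clone` instead would drop the two remaining elements twice and free the buffer twice, which is the `free(): double free detected` abort shown in the report.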